Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-16 Thread Jayalakshmi bhat
Hi Matt, Thank you for the response. I have attached the certificate details. My apologies, I am not supposed to share the certificates. We are not using the X509_VERIFY_PARAM_xxx APIs. We are using 4 certificates with the device. 1. Root CA - Baltimore CyberTrust Root 2. Intermediate CA-1 - Microsoft

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-16 Thread E T
Could it be because your CA-2 has the following: Extended Key Usage - Client Authentication, Server Authentication? Some fields that in general only apply to end certificates, e.g. name constraints, when used in a CA certificate, are interpreted as constraints on the certificates that can be

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-16 Thread Jakob Bohm
Probably not, that constraint is satisfied since this is SSL/TLS and the end cert has that same EKU. On 16/11/2015 22:37, E T wrote: Could it be because your CA-2 has the following: Extended Key Usage - Client Authentication, Server Authentication? Some fields that in general only apply to

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-16 Thread Jakob Bohm
At most one of CA-1 and CA-2 would be part of the chain from Baltimore to the end cert. However your end cert (apparently for hosted Sharepoint services) was issued by a 3rd MSIT CA that was not provided. If it wasn't provided to the code either, the chain would not validate for that reason
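The two points raised above (a CA certificate carrying an EKU of serverAuth/clientAuth, and a leaf whose issuing CA was never supplied to the verifier) can be reproduced with the openssl command-line tool, which drives the same X509_verify_cert path the device is using. The script below is an added example and is not code from the thread or from OpenSSL; it assumes an `openssl` binary of 1.1.1 or later is on PATH, and the CA names, the host name example.test and the temporary working directory are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: build a root -> issuing CA -> leaf
# chain with the openssl CLI and drive X509_verify_cert through `openssl verify`.
# Assumptions: openssl 1.1.1+ on PATH; all names below are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles. v3_ca_eku mirrors the thread's CA-2, which carries an
# EKU of serverAuth + clientAuth; v3_leaf is a plain TLS server certificate.
# The [dn] entry is a placeholder only; -subj overrides it on every call.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_ca_eku]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF

# Self-signed root: the only certificate the verifier will be told to trust.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -keyout root.key -out root.pem \
  -subj "/CN=Example Root" -days 30 -config ca.cnf -extensions v3_ca 2>/dev/null

# Issuing CA, signed by the root, with the EKU that E T asked about.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Issuing CA" -config ca.cnf 2>/dev/null
openssl x509 -req -sha256 -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile ca.cnf -extensions v3_ca_eku 2>/dev/null

# Leaf, signed by the issuing CA (not by the root), like the hosted
# SharePoint cert in the thread that chains to a CA the device never saw.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=example.test" -config ca.cnf 2>/dev/null
openssl x509 -req -sha256 -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile ca.cnf -extensions v3_leaf 2>/dev/null

# verify_leaf: exit 0 if `openssl verify` accepts leaf.pem with the root as
# the only trusted cert, plus whatever extra options are passed.
verify_leaf() {
    openssl verify -CAfile root.pem "$@" leaf.pem >/dev/null 2>&1
}

# report: print PASS/FAIL for a labelled verify_leaf invocation.
report() {
    label="$1"; shift
    if verify_leaf "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

report "root only, issuing CA not supplied"                                           # FAIL
report "root + issuing CA" -untrusted int.pem                                         # PASS
report "root + issuing CA, -purpose sslserver" -untrusted int.pem -purpose sslserver  # PASS
report "root + issuing CA, -purpose sslclient" -untrusted int.pem -purpose sslclient  # FAIL
```

The first FAIL is the "unable to get local issuer certificate" case: the leaf's issuer is not among the trusted or untrusted certificates, so chain building stops before any trust or purpose check runs. Supplying the issuing CA with -untrusted makes the chain verify, and adding -purpose sslserver still passes, confirming Jakob's point that a serverAuth EKU on a CA does not break a server-certificate chain. The last case fails only because the leaf itself lacks clientAuth. -purpose sets the purpose on the X509_VERIFY_PARAM and, unless a trust value was set explicitly, selects the matching trust setting, so it is the CLI way to exercise the check_trust path discussed later in the thread.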

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-16 Thread Matt Caswell
On 16/11/15 06:52, Jayalakshmi bhat wrote: > Hi Victor, > > Thanks a lot for the detailed explanation. > > Our device acts as a TLS/SSL client. The device receives a chain of > certificates as part of the SSL handshake, when it is trying to get > connected to a TLS/SSL server like SharePoint 365. > >

[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Jayalakshmi bhat
Hi All, In an earlier version of OpenSSL (i.e. OpenSSL 1.0.1c) X509_verify_cert had a check `if (params->trust > 0)` before invoking the check_trust function. This has been removed in OpenSSL 1.0.2d. Does it mean applications are expected to set the X509_VERIFY_PARAM properly? Our application works

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Viktor Dukhovni
On Sun, Nov 15, 2015 at 07:00:06PM +0530, Jayalakshmi bhat wrote: > In earlier version of OpenSSL (i.e OpenSSL 1.0.1c) X509_verify_cert had a > check * if (params->trust >0)* before invoking check_trust function. The OpenSSL source code is available via git:

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Jayalakshmi bhat
Hi Viktor, Thank you for the response. This is the code snippet from OpenSSL 1.0.2d. int X509_verify_cert(X509_STORE_CTX *ctx) { /* we now have our chain, lets check it... */ i =

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Viktor Dukhovni
> On Nov 16, 2015, at 12:14 AM, Jayalakshmi bhat > wrote: > > This is code snippet from OpenSSL 1.0.1c > > int X509_verify_cert(X509_STORE_CTX *ctx) { > > > > > /* The chain

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Jayalakshmi bhat
Hi Victor, Thanks a lot for the detailed explanation. Our device acts as a TLS/SSL client. The device receives a chain of certificates as part of the SSL handshake, when it is trying to get connected to a TLS/SSL server like SharePoint 365. While validating the certificate chain from the server, "*check_trust"

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Viktor Dukhovni
On Mon, Nov 16, 2015 at 01:10:19AM -0500, Viktor Dukhovni wrote: > > You should probably explain what you're doing, and in what way OpenSSL 1.0.2 > > (all upstream versions) is not working the way you expect. On Mon, Nov 16, 2015 at 12:22:48PM +0530, Jayalakshmi bhat wrote: > Our device acts as

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Jayalakshmi bhat
Hi Victor, First, kindly note that I am talking about *OpenSSL-1.0.1c*, not about OpenSSL 1.0.2c. So far we were using *OpenSSL-1.0.1c* and server validation was working fine. Recently we upgraded the OpenSSL library to *OpenSSL-1.0.2d.* Also we have not made any modification to the SSL